Akamai Diversity

Recently in Web Security Category

Written by Meyer Potashman

On May 25, 2018, the EU General Data Protection Regulation (GDPR) went into effect. In preparation, Akamai, like every other company that does business with or interacts in any way with individuals in the EU, needed to re-evaluate our approach to data protection and privacy to ensure that we are compliant with the new law. Since GDPR requires that companies evaluate the privacy practices of their suppliers and subcontractors, customers have been asking us about how we protect the personal data on our platform from both a privacy and security perspective. In this blog post, we discuss how our InfoSec team approaches some of these considerations.

Earlier this year, Akamai mitigated the largest DDoS attack in its history, fueled by a new reflector, memcached. The attack targeted one of our software clients and broke through the 1 Tbps threshold for the first time. Memcached was developed to act as a distributed memory caching system. Since the protocol uses UDP, an insecure protocol, and carries the potential for tremendous amplification, it has the key traits of a successful reflection-based attack vector. This Attack Spotlight takes a deeper look into the memcached attack vector that redefined the term "largest attack" and is the first part of our State of the Internet Security Summer 2018 report.

Akamai CEO and co-founder Tom Leighton discusses the company's cybersecurity and data protection business. He speaks with Caroline Hyde from the Boston Institute of Contemporary Art on Bloomberg Technology. (Source: Bloomberg)

Part 2: The Dark Side of APIs

Ryan Barnett, Principal Security Researcher, Akamai

Elad Shuster, Senior Security Researcher, Akamai

During its research into Credential Abuse attack campaigns, Akamai's threat research team conducted an analysis of web logins to gain insights into how widespread the adoption of API-based logins is and whether or not this trend also affects attackers and attack campaigns. It will come as no surprise that API-based logins are highly targeted by credential abuse attackers for a variety of reasons.

The Dark Side of APIs: Part 1, API Overview

Ryan Barnett, Principal Security Researcher, Akamai

Elad Shuster, Senior Security Researcher, Akamai

 

API Overview

Application Programming Interfaces (APIs) are a software design approach that enables software and system developers to integrate with other systems based on a defined set of communication methods. APIs serve as software building blocks and allow for software reuse, essentially allowing fast development of new systems based on existing capabilities.


Overview

Credential abuse (CA) is a trend that is here to stay. It affects almost every one of us. There are attackers trying to break into every online account and the vast majority of these attacks are happening silently in the background. In the past, credential abuse tools were written and distributed in closed forums and among air-gapped societies. Now, they are widely available; there is a highly active market trade of "cookbooks" - configurations and instructions on how to perform successful logins against a website.

 

The days of clear-text HTTP, the original but insecure foundation for data communication over the web, are numbered. Over the past few years, Google (and others such as the Internet Architecture Board, Mozilla, and Apple) have nudged developers to encrypt and authenticate their websites using HTTPS, which layers HTTP over TLS (Transport Layer Security). This includes measures such as ranking HTTP sites lower in Google search results, not supporting powerful features such as geolocation and service workers, and marking a large subset of HTTP sites as "not secure". As a result, there has been a significant increase in the adoption of HTTPS, resulting in a more secure World Wide Web.

memcached, now with extortion!

Over the past week, memcached reflection attacks have taken the DDoS scene by storm, with several attacks hitting organizations across many industries, including a record-breaking 1.3 Tbps attack against an Akamai customer. Akamai has observed a new trend in extortion attempts using memcached payloads to deliver the message.

Memcached-fueled 1.3 Tbps attacks

At 17:28 GMT, February 28th, Akamai experienced a 1.3 Tbps DDoS attack against one of our customers, a software development company, driven by memcached reflection. This attack was the largest attack seen to date by Akamai, more than twice the size of the September 2016 attacks that announced the Mirai botnet, and possibly the largest DDoS attack publicly disclosed. Because of memcached reflection capabilities, it is highly likely that this record attack will not be the biggest for long.

Memcached UDP Reflection Attacks

Akamai is aware of a new DDoS reflection attack vector: UDP-based memcached traffic. Memcached is a tool meant to cache data and reduce strain on heavier data stores, like disk or databases. The protocol allows the server to be queried for information about key-value stores and is only intended to be used on systems that are not exposed to the Internet. There is no authentication required with memcached. When this is added to the ability to spoof IP addresses of UDP traffic, the protocol can be easily abused as a reflector when it is exposed to the Internet. Akamai has seen multiple attacks, some in excess of 190 Gbps, with the potential for much larger attacks.